<html>
<head><meta charset="utf-8"><title>Highlighting unsafe code · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html">Highlighting unsafe code</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="203655357"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655357" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655357">(Jul 12 2020 at 18:37)</a>:</h4>
<p>Hello UCG, I was wondering what are the group's thoughts on tools that just highlight unsafe code in a codebase? I was thinking of writing something simple along these lines however I'm slightly hesitant over how people would use it as people sometimes see unsafe in your code as indicator for "bad" which I don't agree with, and I wouldn't want to spread that perception.</p>



<a name="203655469"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655469" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655469">(Jul 12 2020 at 18:40)</a>:</h4>
<p>What kind of "highlight"? The emacs rust-mode already changes the color of the keyword <code>unsafe</code> to red, for example.</p>



<a name="203655486"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655486" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655486">(Jul 12 2020 at 18:41)</a>:</h4>
<p>Well let’s say it was number of unsafe lines.</p>



<a name="203655553"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655553" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655553">(Jul 12 2020 at 18:43)</a>:</h4>
<p>That's roughly what cargo-geiger does, but on an item/expression level <a href="https://github.com/rust-secure-code/cargo-geiger">https://github.com/rust-secure-code/cargo-geiger</a></p>



<a name="203655565"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655565" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655565">(Jul 12 2020 at 18:43)</a>:</h4>
<p>rust-analyzer can highlight individual unsafe operations inside unsafe blocks too (but that's probably more useful for authoring unsafe code)</p>



<a name="203655617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655617">(Jul 12 2020 at 18:44)</a>:</h4>
<p>I think <span class="user-mention" data-user-id="119009">@eddyb</span> came up with a better way to do what cargo-geiger approximates by using rustc directly</p>



<a name="203655632"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655632" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655632">(Jul 12 2020 at 18:45)</a>:</h4>
<p>Sure, I know there are tools that can do this, I am more interested in people’s opinions on whether it’s something that <em>should</em> be done, or if it’s unhelpful?</p>



<a name="203655633"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655633" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655633">(Jul 12 2020 at 18:45)</a>:</h4>
<p>Ah yeah that's all explained here <a href="https://github.com/rust-secure-code/cargo-geiger/issues/102">https://github.com/rust-secure-code/cargo-geiger/issues/102</a></p>



<a name="203655679"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655679" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655679">(Jul 12 2020 at 18:46)</a>:</h4>
<p>I guess that depends on what the goal is</p>



<a name="203655813"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203655813" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203655813">(Jul 12 2020 at 18:50)</a>:</h4>
<p>Well that’s what I mean. These tools indicate presence, but don’t really indicate anything about the code beyond that. So it’s left up to you the user to figure out what to do with that information.</p>



<a name="203656091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203656091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203656091">(Jul 12 2020 at 18:58)</a>:</h4>
<p>Like I think the worse case I’m thinking about is having people use it, see that someone else’s code has unsafe code, and uses it to be rude to them. Which I’ve seen a couple of times.</p>



<a name="203656110"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203656110" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203656110">(Jul 12 2020 at 18:59)</a>:</h4>
<p>Oh yeah definitely</p>



<a name="203656219"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203656219" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203656219">(Jul 12 2020 at 19:01)</a>:</h4>
<p>I think that pretty much any tool that's similar to cargo-geiger will run into that problem</p>



<a name="203656436"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203656436" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Poliorcetics <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203656436">(Jul 12 2020 at 19:06)</a>:</h4>
<p>Often posts (I am thinking about reddit) heavily discourage from unsafe without providing the other side. The docs are much more neutral on this, maybe something could be done to communicate more about them ?</p>



<a name="203656456"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203656456" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Poliorcetics <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203656456">(Jul 12 2020 at 19:07)</a>:</h4>
<p>The nomicon is very good for this IMO, explaining about real world usages of unsafe</p>



<a name="203666648"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203666648" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203666648">(Jul 12 2020 at 23:38)</a>:</h4>
<p>Between <code>cargo-geiger</code> and <code>cargo-crev</code> it's kinda up to the user to determine if they trust the <code>unsafe</code> in question.</p>



<a name="203666721"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203666721" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203666721">(Jul 12 2020 at 23:40)</a>:</h4>
<p>The <code>safe_arch</code> crate uses <code>unsafe</code> 862 times, but I don't think that says anything at all about the quality or not of the crate.</p>



<a name="203684546"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203684546" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203684546">(Jul 13 2020 at 07:22)</a>:</h4>
<p><span class="user-mention silent" data-user-id="219696">XAMPPRocky</span> <a href="#narrow/stream/136281-t-lang.2Fwg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code/near/203655357">said</a>:</p>
<blockquote>
<p>Hello UCG, I was wondering what are the group's thoughts on tools that just highlight unsafe code in a codebase? I was thinking of writing something simple along these lines however I'm slightly hesitant over how people would use it as people sometimes see unsafe in your code as indicator for "bad" which I don't agree with, and I wouldn't want to spread that perception.</p>
</blockquote>
<p>I am not sure the group has thoughts on that. Our mandate is mostly to figure out what may and may not be done by unsafe code. (I realize "guidelines" is a somewhat misleading name then and maybe I am misrepresenting <span class="user-mention" data-user-id="116009">@nikomatsakis</span>' intentions.)</p>



<a name="203684572"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203684572" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203684572">(Jul 13 2020 at 07:23)</a>:</h4>
<p><a class="stream" data-stream-id="146229" href="/#narrow/stream/146229-wg-secure-code">#wg-secure-code</a> sounds like more the kind of place where people have thoughts on cargo-geiger, cargo-audit, cargo-crev etc?</p>



<a name="203687588"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203687588" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203687588">(Jul 13 2020 at 08:06)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> Well I’m not looking for the team to make a guideline or anything, I was more just interested in opinions.</p>



<a name="203687607"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203687607" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203687607">(Jul 13 2020 at 08:07)</a>:</h4>
<p>Sorry if that was not clear.</p>



<a name="203688115"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203688115" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203688115">(Jul 13 2020 at 08:13)</a>:</h4>
<p>fair :)</p>



<a name="203688338"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203688338" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203688338">(Jul 13 2020 at 08:16)</a>:</h4>
<p>I dont think sheer number of unsafe lines is very useful. but what I think would be useful would be some way to ensure that crates follow some "best practices" regarding their unsafe blocks. like, are there <code>SAFETY</code> comments? maybe we can even standardize some scheme where <code>unsafe fn</code> <em>name</em> the preconditions they expect (<code>ptr_not_dangling</code>, <code>idx_in_bounds</code>) and then the <code>SAFETY</code> comments need to explicitly discharge (or forward to the caller) each of these preconditions.</p>



<a name="203688363"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203688363" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203688363">(Jul 13 2020 at 08:16)</a>:</h4>
<p>Something like that is proposed regularly, sometimes as a language extension, but I think it can start as an external tool</p>



<a name="203733264"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting%20unsafe%20code/near/203733264" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Highlighting.20unsafe.20code.html#203733264">(Jul 13 2020 at 15:57)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> I was thinking about only counting unsafe blocks as opposed to unsafe fns, both because it's easier and more inline with people's current opinions on <code>unsafe fn</code> being signifier for being unsafe to call rather than implying <code>unsafe</code> in the body.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>